Phishing emails are fraudulent emails that attempt to persuade people to click on malicious links, download attachments laden with malware, or disclose sensitive information (e.g. user account details, financial or other personal information).
They typically mimic recognisable organisations or individuals, with the use of correct layouts, logos, and similar sender addresses making them difficult to spot. Targeted phishing emails are known as spear-phishing attempts, with such emails being tailored to particular individuals or organisations. These personalised messages are more likely to resonate with the recipients, and thus have a greater chance of success.
Phishing emails typically rely on people’s trust in, and automatic responses to, communications from particular senders. However, other types of online scams must build their ‘personas’ from scratch.
For example, online romance scams develop fake profiles of individuals who are supposedly looking for love on online dating sites. These scams rely on building trust over time with their victim, and the fake profiles commonly adopt traits that are considered to represent ‘trustworthy people’ in particular cultures (such as widowed businessmen or military personnel). They also use a number of influence techniques to develop relationships that can be particularly intense.
As a psychologist, I try to understand the thought processes behind whether people choose to respond to an online scam. What is it that makes people think a phishing email is genuine? What motivates them to respond to a scam? How much does it depend on the individual person, the wider context that they are in, or the design of the message itself?
When I tell people what research I do, I am often faced with one of two responses. This is either 'Well, that’s easy, people who respond to scams are just stupid, aren’t they?' or 'I know someone that has happened to / that happened to me … it was really bad!'
Both of these answers can be very disheartening, albeit for very different reasons.
First, there is a common assumption that phishing emails and other online scams are easy to spot. People commonly refer to poor spelling and grammar, very suspicious sender addresses, and references to 'Nigerian Princes who want to give them millions of pounds'.
Although these types of scam do generate income for scammers, they do not represent the typical phishing email. The problem is that these common stereotypes of what a phishing email looks like can influence people’s judgements, making them less likely to be suspicious of emails that do not display these characteristics.
Increasingly, scammers are creating more sophisticated scams, aided by the availability of technology and people’s personal information being displayed on social media.
Media reports have described phishing emails targeting homebuyers, with scammers accessing email accounts and crafting fake emails that appear exactly like legitimate communications from solicitors requesting payment of deposits.
These emails were timed to match people’s current expectations and varied only in the sender address, and even this inconsistency was difficult to spot. In one example, the only difference was a single ‘s’ missing from the company name.
If people are in a hurry, distracted, or simply assume that an expected email is genuine, then they are unlikely to notice such minor inconsistencies.
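The sender-address inconsistency described above (a company name with one letter missing) is exactly the kind of detail a tired or distracted reader overlooks, but it is mechanical to check. The following added example is not part of the original article or CREST's own work; it flags a sender domain that is within a small edit distance of a domain the recipient legitimately expects mail from. The domains and `From:` headers are constructed for illustration, and `EXPECTED_DOMAINS`, `classify_sender` and the distance threshold are assumptions of this example.

```python
import re

# Constructed allowlist: domains the recipient is genuinely expecting mail from
# (e.g. the solicitor handling a house purchase). Placeholder values only.
EXPECTED_DOMAINS = {"smithsolicitors.example", "conveyancing.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions, deletions
    and substitutions needed to turn a into b. A missing 's' is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution / match
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as
    'Jane Smith <jane@smithsolicitors.example>' or a bare address."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, expected=EXPECTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, closest_expected_domain, distance).

    verdict is 'expected' for an exact allowlist match, 'lookalike' when the
    domain is within max_distance edits of an expected domain (the case the
    article describes), and 'unrelated' otherwise. A 'lookalike' verdict is
    the one worth surfacing to the user: it is close enough to be mistaken
    for the real thing but is not it."""
    domain = sender_domain(from_header)
    if domain in expected:
        return ("expected", domain, 0)
    closest = min(expected, key=lambda d: edit_distance(domain, d))
    distance = edit_distance(domain, closest)
    if distance <= max_distance:
        return ("lookalike", closest, distance)
    return ("unrelated", closest, distance)


if __name__ == "__main__":
    # Constructed sample headers: a genuine sender, the one-letter-off
    # impostor, and an unrelated third party.
    for header in ("Jane Smith <jane@smithsolicitors.example>",
                   "Jane Smith <jane@smithsolicitor.example>",
                   "noreply@randomshop.example"):
        print(header, "->", classify_sender(header))
```

The threshold of two edits is deliberately small: it catches dropped or swapped letters without turning every unrelated domain into an alert, and the check only ever compares against domains the recipient has already said they expect, so it can run locally on a mail client with no external lookups.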
The second response to my research can be the most difficult to hear.
People may have lost £1000s (sometimes 10s or 100s of thousands). They can feel a range of emotions, including guilt and self-blame, or anger and upset at the lack of help available in recouping their losses and the lack of support from external organisations. They can feel used, losing trust in strangers and losing confidence in their usual activities.
The fact that I come across so many people who have direct experience of a scam in my everyday life demonstrates that this problem is not going away anytime soon.
Advances in technology mean that it is increasingly easy for scammers to target large numbers of people across geographical boundaries, resulting in a continually evolving battle between scammers and those who try to stop them.
So, what can we do about this susceptibility?
By trying to understand what makes people susceptible to online scams, it is hoped that more effective mitigations can be developed in the future. This will likely require a combination of training, education, system design, and regulatory approaches.
In order to achieve this, a multi-disciplinary collaboration between academia and practitioners is vital and represents the most promising means of addressing this complex and multi-faceted problem in the future.
As part of CREST’s commitment to open access research, this text is available under a Creative Commons BY-NC-SA 4.0 licence. Please refer to our Copyright page for full details.
IMAGE CREDITS: Copyright ©2023 R. Stevens / CREST (CC BY-SA 4.0)